[
https://issues.apache.org/jira/browse/CB-12809?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Vishal Mishra closed CB-12809.
------------------------------
Resolution: Won't Fix
With the new features introduced in
[XMLHttpRequest|https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest],
this plugin is not needed any more. Migrating from this plugin to using the
new features of
[XMLHttpRequest|https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest],
is explained in this [Cordova blog
post|https://cordova.apache.org/blog/2017/10/18/from-filetransfer-to-xhr2.html].
> Google Play Blocker: Unsafe SSL TrustManager Defined
> ----------------------------------------------------
>
> Key: CB-12809
> URL: https://issues.apache.org/jira/browse/CB-12809
> Project: Apache Cordova
> Issue Type: Bug
> Components: cordova-plugin-file-transfer (DEPRECATED)
> Affects Versions: 1.6.1
> Reporter: Aleksandr Movsesyan
> Priority: Critical
> Labels: android
>
> We are using a security tool that reported this issue.
> The following Java classes defined within the App define a custom
> (https://developer.android.com/reference/javax/net/ssl/X509TrustManager.html)
> X509TrustManager that does not validate SSL certificates:
> org.apache.cordova.filetransfer.FileTransfer$3
> The affected classes define an empty checkServerTrusted() method, thereby
> disabling SSL validation and hence accepting any SSL certificate as valid, if
> the class is used when connecting to a server over SSL/TLS.
> Regardless of whether affected classes are used or not at runtime, Google
> Play is blocking any App that defines such an insecure X509TrustManager as
> detailed on Google's support
> page(https://support.google.com/faqs/answer/6346016):
> "Beginning May 17, 2016, Google Play will block publishing of any new apps or
> updates containing the unsafe implementation of the interface
> X509TrustManager."
> Additionally, Google's presentation at the Black Hat 2016 conference
> (https://www.blackhat.com/docs/us-16/materials/us-16-Kralevich-The-Art-Of-Defense-How-Vulnerabilities-Help-Shape-Security-Features-And-Mitigations-In-Android.pdf)
> details (on slide 45) the vulnerable code found in the vulnerable classes,
> that Google Play will ban:
> // Dangerous code: do not do this!
> SLContext ctx = SSLContext.getInstance("TLS");
> ctx.init(null, new TrustManager[] {
> new X509TrustManager() {
> public void checkClientTrusted(X509Certificate[] chain, String
> authType) {}
> public void checkServerTrusted(X509Certificate[] chain, String
> authType) {}
> public X509Certificate[] getAcceptedIssuers() {return new
> X509Certificate[]{}; } } }, null);
> HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
> Lastly, a list of Apps that have already been blocked by Google Play because
> of this issue can be found
> here(https://stackoverflow.com/search?q=%5Bandroid-security%5D+checkServerTrusted).
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
